Dans un cadre de gestion Office 365, il est courant de devoir surveiller ou contrôler l’activité autour de l’ensemble du tenant O365 selon des critères définis (cas d’utilisation douteuse par exemple).
Depuis le site d’administration
Le site d’administration d’Office 365 vous permet d’accéder (selon vos droits) à la partie “Security & Compliance” :
Cette page vous permet alors de fournir certains critères de recherche:
- Activity type
- Start & End DateTime
- UsersID (email or O365 login)
- File, folder, url or site
Ces options permettent alors d’exécuter cette recherche et l’expoter en CSV ou de créer une alerte .
Toutes les informations sont fournis pour ce site:
En revanche, quelques restrictions existent sur cette solution dont:
- Nombre de lignes (ou Events) limité à 50’000 max
- Nombre de signes exportés dans la colonne AuditData est limité aux premiers 3’060 chars
Depuis PowerShell
A partir de nombreuses sources sur le Web, je vous fourni le script PowerShell suivant utilisable comme outil de base. Il travaille directement le jeu de résultat en mémoire pour exporter en CSV un résultat compréhensible.
La commande PowerShell utilisée est détaillée ici:
Function Split-O365AuditLogs-FromO365 ()
{
#Get the content to process
Write-host " -----------------------------------------" -ForegroundColor Green[string]$username = "YourAdminAccount@yourtenant.onmicrosoft.com"
[string]$PwdTXTPath = "C:\SECUREDPWD\ExportedPWD-$($username).txt"
$secureStringPwd = ConvertTo-SecureString -string (Get-Content $PwdTXTPath)
$UserCredential = New-Object System.Management.Automation.PSCredential $username, $secureStringPwd#This will prompt the user for credential
# $UserCredential = Get-Credential$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-LiveID/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session[DateTime]$startDate = "01/01/2019 00:00" #Format: mm/dd/yyyy hh:MM
[DateTime]$endDate = "01/11/2019 23:59" #Format: mm/dd/yyyy hh:MM
$SpecifiedUserIDs = "Youremailtoscan@yourtenant.com", "Youremailtoscan2@yourtenant.com" #syntax: "<value1>","<value2>",..."<valueX>".$scriptStart=(get-date)
$sessionName = (get-date -Format 'u')+'o365auditlog'
# Reset user audit accumulator
$aggregateResults = @()
$i = 0 # Loop counter
Do {
Write-host " >> Audit Request Details: StartDate=", $startDate, "- EndDate=", $endDate, "SpecifiedUserIDs=", $SpecifiedUserIDs
$currentResults = Search-UnifiedAuditLog -StartDate $startDate -EndDate $enddate -SessionId $sessionName -SessionCommand ReturnLargeSet -ResultSize 1000 -UserIds $SpecifiedUserIDs
if ($currentResults.Count -gt 0)
{
Write-Host (" Finished {3} search #{1}, {2} records: {0} min" -f [math]::Round((New-TimeSpan -Start $scriptStart).TotalMinutes,4), $i, $currentResults.Count, $user.UserPrincipalName )
# Accumulate the data
$aggregateResults += $currentResults
# No need to do another query if the # recs returned <1k - should save around 5-10 sec per user
if ($currentResults.Count -lt 1000)
{
$currentResults = @()
}
else
{
$i++
}
}
} Until ($currentResults.Count -eq 0) # --- End of Session Search Loop --- #
[int]$IntemIndex = 1
$data=@()
foreach ($line in $aggregateResults)
{
Write-host " ItemIndex:", $IntemIndex, "- Creation Date:", $line.CreationDate, "- UserIds:", $line.UserIds, "- Operations:", $line.Operations
Write-host " > AuditData:", $line.AuditData
$datum = New-Object -TypeName PSObject
$Converteddata = convertfrom-json $line.AuditData
$datum | Add-Member -MemberType NoteProperty -Name Id -Value $Converteddata.Id
$datum | Add-Member -MemberType NoteProperty -Name CreationTimeUTC -Value $Converteddata.CreationTime
$datum | Add-Member -MemberType NoteProperty -Name CreationTime -Value $line.CreationDate
$datum | Add-Member -MemberType NoteProperty -Name Operation -Value $Converteddata.Operation
$datum | Add-Member -MemberType NoteProperty -Name OrganizationId -Value $Converteddata.OrganizationId
$datum | Add-Member -MemberType NoteProperty -Name RecordType -Value $Converteddata.RecordType
$datum | Add-Member -MemberType NoteProperty -Name ResultStatus -Value $Converteddata.ResultStatus
$datum | Add-Member -MemberType NoteProperty -Name UserKey -Value $Converteddata.UserKey
$datum | Add-Member -MemberType NoteProperty -Name UserType -Value $Converteddata.UserType
$datum | Add-Member -MemberType NoteProperty -Name Version -Value $Converteddata.Version
$datum | Add-Member -MemberType NoteProperty -Name Workload -Value $Converteddata.Workload
$datum | Add-Member -MemberType NoteProperty -Name UserId -Value $Converteddata.UserId
$datum | Add-Member -MemberType NoteProperty -Name ClientIPAddress -Value $Converteddata.ClientIPAddress
$datum | Add-Member -MemberType NoteProperty -Name ClientInfoString -Value $Converteddata.ClientInfoString
$datum | Add-Member -MemberType NoteProperty -Name ClientProcessName -Value $Converteddata.ClientProcessName
$datum | Add-Member -MemberType NoteProperty -Name ClientVersion -Value $Converteddata.ClientVersion
$datum | Add-Member -MemberType NoteProperty -Name ExternalAccess -Value $Converteddata.ExternalAccess
$datum | Add-Member -MemberType NoteProperty -Name InternalLogonType -Value $Converteddata.InternalLogonType
$datum | Add-Member -MemberType NoteProperty -Name LogonType -Value $Converteddata.LogonType
$datum | Add-Member -MemberType NoteProperty -Name LogonUserSid -Value $Converteddata.LogonUserSid
$datum | Add-Member -MemberType NoteProperty -Name MailboxGuid -Value $Converteddata.MailboxGuid
$datum | Add-Member -MemberType NoteProperty -Name MailboxOwnerSid -Value $Converteddata.MailboxOwnerSid
$datum | Add-Member -MemberType NoteProperty -Name MailboxOwnerUPN -Value $Converteddata.MailboxOwnerUPN
$datum | Add-Member -MemberType NoteProperty -Name OrganizationName -Value $Converteddata.OrganizationName
$datum | Add-Member -MemberType NoteProperty -Name OriginatingServer -Value $Converteddata.OriginatingServer
$datum | Add-Member -MemberType NoteProperty -Name SessionId -Value $Converteddata.SessionId
$data += $datum
$IntemIndex += 1
}
$datestring = (get-date).ToString("yyyyMMdd-hhmm")
$fileName = ("C:\AuditLogs\CSVExport\" + $datestring + ".csv")
Write-Host (" >>> writing to file {0}" -f $fileName)
$data | Export-csv $fileName -NoTypeInformationRemove-PSSession $Session
}Split-O365AuditLogs-FromO365
Vous pouvez utiliser ce script et l’adapter selon vos besoins.
Attention:
La limitation du champs AuditData reste présente même PowerShell, mais Microsoft Support connait le problème et travaille avec le groupe produit pour le fixer
- https://techcommunity.microsoft.com/t5/Office-365/Incomplete-data-from-Search-UnifiedAuditLog-cmdlet-for-AzureAD/td-p/240805
- https://office365itpros.com/2018/10/22/longer-retention-office365-auditdata/
Liens additionnels:
- https://angryanalyticsblog.azurewebsites.net/index.php/2018/02/16/power-bi-audit-log-analytics-solution/
- https://docs.microsoft.com/en-us/office365/securitycompliance/detailed-properties-in-the-office-365-audit-log
- https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log
- https://www.youtube.com/watch?v=KUyE59E3EFY
- https://blogs.msdn.microsoft.com/tehnoonr/2018/01/26/retrieving-office-365-audit-data-using-powershell/
- https://office365itpros.com/2018/10/22/longer-retention-office365-auditdata/
- https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-unifiedauditlog?view=exchange-ps
- https://www.sherweb.com/blog/activity-reports-audit-logs-office-365/
- http://alexbrassington.com/2016/03/03/splitting-office-365-audit-logs/
- https://www.powershellgallery.com/packages/O365_Unified_Auditlog_parser/1.1/Content/O365_Unified_Auditlog_parser.ps1
Fabrice Romelard
Version anglaise:
Commentaires
Enregistrer un commentaire